I'm trying to understand the current ability of OPNsense (25.1 as of this post) to handle dynamic NPTv6 rulesets for IPv6 routing. My setup is (I would think) pretty typical of any multihomed arrangement for a small/home network with redundant ISP connections, much as described in RFC 7157 scenario 2 (https://www.rfc-editor.org/rfc/rfc7157.html#section-3).
My particular intent is to use WAN1 as my primary connection and WAN2 only for failover. I want to assign PD /64 #0 from WAN1 to my LAN network (notably I do not want to assign a ULA prefix, for the same reason identified in this thread (https://forum.opnsense.org/index.php?topic=21375.msg100675#msg100675)—Windows hosts expect GUA addressing, not ULA, for global routing, and that seems reasonable to me as well).
So for my network, I want/have:
WAN1:
- is my primary upstream egress route
- receives PD /60 from upstream
- receives NA /128 on a different prefix than the assigned PD
WAN2:
- failover egress route
- receives PD /64 from upstream
- receives NA /128 on a different prefix than the assigned PD
LAN:
- dynamically assigned GUA /64 prefix #0 from WAN1 PD
- optionally, would be nice to additionally assign a static ULA /64, and the second dynamic delegated prefix from WAN2, but not necessary
What's working:
- OPNsense seems to be able to dynamically assign PD #0 from WAN1 -> LAN (this is opaquely called "track interface" on the LAN interface configuration, "dynamic external delegated prefix" would be much clearer wording in my mind), so this part is working nicely already.
- Failover from WAN1 -> WAN2, triggered on dropped or latent packets over WAN1, can be configured, and seems to be working.
- I can set up a manual/static NPTv6 rule on WAN2 to route IPv6 traffic LAN <-> WAN2 in a failover situation, but this relies on me manually digging in to find the delegated WAN1 and WAN2 prefixes and then configuring the rule with those static prefixes. If either of my ISPs change delegated prefixes, my rule breaks.
What's not working:
- OPNsense doesn't allow configuring multiple IPv6 prefixes on the LAN, as far as I can tell. Hardly critical for me, but still it seems like it would be a useful feature.
- I really need to be able to configure NPTv6 rules that have dynamic source and target prefixes based on delegated prefixes from WAN1 and WAN2, but this doesn't seem supported at all. I see some chatter about dynamic NPTv6 rules in the forum and Github but I'm having trouble making sense of it, and at the end of the day it seems not to be implemented as far as I can tell.
- There is a "track interface" option in the NPTv6 rule dialog, but this seems to be for the target prefix only and, bewilderingly, seems to require that the interface the rule tracks, in turn tracks the NPTv6 interface (why would you ever want to do that??).
Can anyone verify that I'm understanding the current state of things correctly? I'd be happy to help any way I can, raising issues if needed, testing, coding (may be a bridge too far, but maybe)!
Thanks!
Quote from: pgalbraith on April 16, 2025, 07:07:55 PM
OPNsense doesn't allow configuring multiple IPv6 prefixes on the LAN, as far as I can tell.
It does, but only one prefix can be dynamic - a single LAN interface can only track a single WAN interface.
You can configure additional, static prefixes by adding Virtual IPs to the LAN interface (Interfaces: Virtual IPs, add a /64 IP Alias).
Quote from: pgalbraith on April 16, 2025, 07:07:55 PM
I really need to be able to configure NPTv6 rules that have dynamic source and target prefixes based on delegated prefixes from WAN1 and WAN2, but this doesn't seem supported at all.
A dynamic target prefix is supported, but the source prefix needs to be static. Static ULA or GUA (internal) to dynamic GUA (external) works, but dynamic GUA (internal) to dynamic GUA (external) doesn't.
Quote from: pgalbraith on April 16, 2025, 07:07:55 PM
There is a "track interface" option in the NPTv6 rule dialog, but this seems to be for the target prefix only and, bewilderingly, seems to require that the interface the rule tracks, in turn tracks the NPTv6 interface (why would you ever want to do that??).
Explicitly specifying a Track Interface in the NPTv6 rule is for advanced scenarios only. By default ("None"), if you don't specify an External IPv6 Prefix, the prefix of the selected Interface is used. Of course this only works if the WAN interface itself is configured with a /64, which is e.g. common for PPPoE. In your case (WAN2 only has a /128), you can set the Optional prefix ID to 0 in the WAN2 settings. The received /64 PD will then be configured on the WAN2 interface itself and can be used by an NPTv6 rule.
This doesn't solve the dynamic internal prefix issue though. Currently, the only viable solution for this is using an outbound NAT rule instead of an NPTv6 rule.
Quote from: pgalbraith on April 16, 2025, 07:07:55 PM
[...] testing, coding [...]
It might be possible to implement the current method for source prefixes, too. You could give it a try.
Keep in mind that if your WAN1 is down, you might not have internal GUAs at all. Sure, the received PD persists for some time, but if e.g. OPNsense gets rebooted, you only have ULAs.
Cheers
Maurice
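An added illustration (example code, not from OPNsense or from anyone in this thread) of the rule shape the reply says works, a static internal /64 (e.g. a ULA) mapped to one external /64: a Python implementation of the RFC 6296 checksum-neutral prefix mapping, with constructed ULA and documentation prefixes as sample values. The point it makes concrete is that the external prefix is baked into the rule, so a rule built from one delegated prefix emits addresses in that prefix until it is rebuilt from the new one; whether OPNsense's pf-based rule also applies the RFC 6296 checksum adjustment is not something this thread establishes.

```python
from functools import reduce
from ipaddress import IPv6Address, IPv6Network

def oc_add(a, b):
    """One's complement addition of two 16-bit words (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def oc_sum(ws):
    """One's complement sum of 16-bit words, as in the TCP/UDP checksum."""
    return reduce(oc_add, ws, 0)

def words(addr):
    """The eight 16-bit words of an IPv6Address, most significant first."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]

class Nptv6Rule:
    """Static internal /64 <-> external /64; bound to one external prefix."""

    def __init__(self, internal, external):
        self.internal, self.external = IPv6Network(internal), IPv6Network(external)
        if self.internal.prefixlen != 64 or self.external.prefixlen != 64:
            raise ValueError("this example handles /64 <-> /64 only")
        # RFC 6296: adjustment = sum(internal prefix words) - sum(external prefix words)
        s_int = oc_sum(words(self.internal.network_address)[:4])
        s_ext = oc_sum(words(self.external.network_address)[:4])
        self.adjustment = oc_add(s_int, ~s_ext & 0xFFFF)

    def _map(self, addr, src, dst, adj):
        a = IPv6Address(addr)
        if a not in src:
            raise ValueError(f"{a} is not inside {src}")
        w = words(dst.network_address)[:4] + words(a)[4:]  # swap the /64 prefix
        # RFC 6296 longer-prefix case: add the adjustment to the first IID word
        # that is not 0xFFFF; a result of 0xFFFF is written as 0x0000.
        for i in range(4, 8):
            if w[i] != 0xFFFF:
                w[i] = oc_add(w[i], adj)
                if w[i] == 0xFFFF:
                    w[i] = 0
                break
        else:
            raise ValueError("IID is all 0xFFFF words; no word can carry the adjustment")
        return IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))

    def to_external(self, addr):  # LAN -> WAN: rewrite the source address
        return self._map(addr, self.internal, self.external, self.adjustment)

    def to_internal(self, addr):  # WAN -> LAN: rewrite the destination address
        return self._map(addr, self.external, self.internal, ~self.adjustment & 0xFFFF)
```

Translating fd12:3456:789a:1::a with external prefix 2001:db8:abcd:5::/64 yields 2001:db8:abcd:5:d078::a, whose one's complement word sum equals the original's, and mapping it back recovers the ULA address.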